From 5e8f59e1913f7912e27785be275243604b036f34 Mon Sep 17 00:00:00 2001
From: ben
Date: Thu, 19 Feb 2009 17:15:45 +0000
Subject: Better unicode patching for icons. Fixes #789
git-svn-id: https://code.elgg.org/elgg/trunk@2823 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 mod/profile/icondirect.php | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
(limited to 'mod/profile/icondirect.php')
diff --git a/mod/profile/icondirect.php b/mod/profile/icondirect.php
index ce2cc4785..ee7f0a5e3 100644
--- a/mod/profile/icondirect.php
+++ b/mod/profile/icondirect.php
@@ -21,7 +21,27 @@ $username = $_GET['username'];
- $username = preg_replace('/[^A-Za-z0-9\_\-]/i','',$username);
+ //$username = preg_replace('/[^A-Za-z0-9\_\-]/i','',$username);
+ $blacklist = '/[' .
+ '\x{0080}-\x{009f}' . # iso-8859-1 control chars
+ '\x{00a0}' . # non-breaking space
+ '\x{2000}-\x{200f}' . # various whitespace
+ '\x{2028}-\x{202f}' . # breaks and control chars
+ '\x{3000}' . # ideographic space
+ '\x{e000}-\x{f8ff}' . # private use
+ ']/u';
+ if (
+ preg_match($blacklist, $username) ||
+
+ (strpos($username, '/')!==false) ||
+ (strpos($username, '\\')!==false) ||
+ (strpos($username, '"')!==false) ||
+ (strpos($username, '\'')!==false) ||
+ (strpos($username, '*')!==false) ||
+ (strpos($username, '&')!==false) ||
+ (strpos($username, ' ')!==false)
+ ) exit;
+ $userarray = str_split($username);
 $matrix = '';
--
cgit v1.2.3
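Review bot: The `preg_match($blacklist, $username)` test in the new `if` treats a `false` return as "no match": with the `/u` modifier PHP returns `false` when the subject is not valid UTF-8, so a malformed byte sequence is never checked against the Unicode ranges, and an array-form `$_GET['username']` is not rejected either. A strict comparison closes both, e.g. `!is_string($username) || preg_match($blacklist, $username) !== 0 ||`. Replacing the removed allowlist with a denylist also means NUL, ASCII control bytes and `.` are no longer filtered; the character class could take `'\x{0000}-\x{001f}\x{007f}' .`, and whether `.` must be rejected depends on how `$userarray` and `$matrix` are turned into a path below the hunk, which is not visible here. The commented-out `preg_replace` line is better deleted than kept, since version control already holds it.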